Google Git
Sign in
kernel / pub / scm / linux / kernel / git / stable / stable-queue / 596ceabe8ecd2a4ef350d03f53e70790892d8d15 / . / releases / 2.6.27.5 / libertas-fix-buffer-overrun.patch
blob: a1ed3746127d9ccb826a5e7c72451647b6e1d0ac [file] [log] [blame]
From jejb@kernel.org Tue Nov 4 11:44:30 2008
From: Johannes Berg <johannes@sipsolutions.net>
Date: Sun, 2 Nov 2008 19:30:21 GMT
Subject: libertas: fix buffer overrun
To: jejb@kernel.org, stable@kernel.org
Message-ID: <200811021930.mA2JULX5009457@hera.kernel.org>
From: Johannes Berg <johannes@sipsolutions.net>
commit 48735d8d8bd701b1e0cd3d49c21e5e385ddcb077 upstream
If somebody sends an invalid beacon/probe response, that can trash the
whole BSS descriptor. The descriptor is, luckily, large enough so that
it cannot scribble past the end of it; it's well above 400 bytes long.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/net/wireless/libertas/scan.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/libertas/scan.c
+++ b/drivers/net/wireless/libertas/scan.c
@@ -598,8 +598,8 @@ static int lbs_process_bss(struct bss_de
switch (elem->id) {
case MFIE_TYPE_SSID:
- bss->ssid_len = elem->len;
- memcpy(bss->ssid, elem->data, elem->len);
+ bss->ssid_len = min_t(int, 32, elem->len);
+ memcpy(bss->ssid, elem->data, bss->ssid_len);
lbs_deb_scan("got SSID IE: '%s', len %u\n",
escape_essid(bss->ssid, bss->ssid_len),
bss->ssid_len);